Threat Management, Malware

U.S. charges alleged members of “Evil Corp” cybercrime group for Zeus and Dridex campaigns

The U.S. today announced legal and regulatory action against the powerhouse cybercriminal group Evil Corp, filing hacking and bank fraud charges against two of its suspected members. Authorities are also offering a $5 million bounty for information leading to the arrest or conviction of one of the group's alleged masterminds, 32-year-old Maksim Yakubets of Moscow, Russia, who has worked for the Russian intelligence agency FSB.

Evil Corp has long been tied to financially motivated cyberattacks featuring the Zeus trojan and Bugat (aka Dridex) malware, both of which were primarily designed to steal banking credentials from infected individuals.

In a press release, the U.S. Justice Department announced the unsealing of a 10-count indictment in Pittsburgh, Penn. against Yakubets, as well as Igor Turashev, 38, from Yoshkar-Ola, Russia.

The two men are accused of distributing Bugat/Dridex, a malware that presents victims with a fake banking webpage in order to trick them into entering their sensitive information, allowing attackers to then exfiltrate it. Authorities estimate that Dridex has been responsible for the theft of at least $100 million from financial institutions in over 40 countries.

Yakubets is alleged to be the leader of the Bugat operation, spearheading the malware's development, maintenance and distribution as well as managing the financial theft and money mules. Turashev, on the other hand, allegedly handled system administration, management of the internal control panel and oversight of botnet operations, the DOJ said. For this, the two men faces charges of conspiracy, computer hacking, wire fraud and bank fraud.

A separate criminal complaint was also unsealed against Yakubets in Lincoln, Nebraska, for his alleged role in a conspiracy that leveraged Zeus malware to steal roughly $70 million from bank accounts in the U.S. and around the world. Yakubets faces bank fraud charges in this case.

The U.S. State Department is offering the $5 million bounty for Yakubets via its Transnational Organized Crime (TOC) Rewards Program. It is the largest-ever reward offered for a cybercriminal.

The U.K.'s National Crime Agency significantly collaborated in the investigation, and law enforcement entities from The Netherlands, Germany, Belarus, Ukraine, and the Russian Federation assisted as well.

Also, the U.S. Treasury Department's Office of Foreign Assets announced today that it would be sanctioning Evil Corp by leveling sanctions against 17 individuals and seven entities believed to support the group's activities. "As a result of today's designations, all property and interests in property of these persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them," the Treasury Department stated in a press release. "Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked."

In both the case of Bugat/Dridex and Zeus, Yakubets and various Evil Corp co-conspirators would log onto online banking accounts using credentials stolen by the malware, and then illegally drain their funds into attacker-controlled accounts. Both operations relied on the use of both automated bots, as well as money mules who would move the stolen money around. (Just yesterday, the DOJ announced a widespread crackdown on money mule activity.)

The Zeus campaign started in May 2009 and victimized 21 municipalities, banks, companies and non-profit organizations across the U.S., including Bank of America, the First National Bank of Omaha and the town of Egremont, Mass.

The Bugat/Dridex indictment, meanwhile, covers activities that occurred as far back as 2011 and recently as last March 19. This includes attacks that victimized the First National Bank, the First Commonwealth Bank, the Sharon City School District, Penneco Oil Company, firearm manufacturer Remington Outdoor Company, building materials supplier 84 Lumber, vacuum and thin film deposition technology company Kurt J. Lesker Company, and metal manufacturer JWF Industries.

"Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide," said Assistant Attorney General Brian Benczkowski in the DOJ release. "These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks"

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.